- Book Of The Month - Pursuing Enterprise Outcomes
Maximizing Business Value and Improving Strategy for Organizations and Teams
All executives and senior management responsible for compliance will be well aware of how difficult it is to ensure that value creation is protected and progress is being made towards stakeholder objectives. These outcomes are often not well articulated, and even when they are, the means by which they are achieved usually are not. Focus on effort over results is the name of the game while the board sits hoping for the best. Is there a better way to ensure outcomes are achieved?
"It's a common trap to assume that outcomes are known and a mistake to place all emphasis on the outputs of work." – Alex Yakyma
It is relatively easy to identify and manage outputs to ensure that they are on time, on budget, and on spec. This domain is well understood, with vast amounts of knowledge, expertise, and practices to improve the certainty that outputs are created with a defect rate of 3.4 defects per million opportunities (i.e. six sigma). We are very good at doing this, or at least know how to do it. However, when it comes to realizing outcomes, this is not as easy and is often left to chance. Companies hope that their good intentions and hard work will produce the outcomes they are looking for. However, the road of good intentions often does not deliver what we want or what we need.
Alex Yakyma, in his book "Pursuing Enterprise Outcomes", unpacks the nature of outcomes, how they are created, and how to improve the probability that you produce the outcomes you have targeted. This is a world that is not as well defined, often non-linear, and always in the presence of uncertainty.
Yakyma provides a comprehensive framework that adds needed structure to this domain as presented in his book where he covers: The killer of Organizational performance How to Uncover Disconnects In Pursuit of Outcomes The Science and the Art of Probing The Mystery of Business Value Complex Bottlenecks and Emergent Solutions Strategy and Leverage Points
Excerpts from the book: Complex tasks progress at the speed of managing unknowns. Doing the wrong work faster is false progress. For complex tasks, the ability to navigate is more important than velocity. Behaviours in a complex system can only emerge. Any attempt to "design" behaviour to match an expectation will only result in waste. To succeed with the ultimate outcome, all lower-level outcomes need to have owners who hold responsibility for the outcomes, not outputs. A disconnect anywhere in the outcome chain easily jeopardizes the ultimate outcome of the task. Outcomes provide meaning and structure to business value. Business value helps determine how effectively the outcomes are achieved. Strategy is the way in which system behaviour can be vectored toward a favourable outcome.
What I like about this book: The concepts of outcome chains and connections, the emergence loop, and the nature of outcome uncertainty provide a solid structure to explore how to better advance outcomes. The author provides many good examples that help illustrate key concepts and principles. Every chapter has exercises that teams can work on to help reinforce learning and stimulate discussion.
I highly recommend this book for anyone who is responsible for the creation of outcomes related to regulatory, safety, security, quality, environmental and operational objectives.
- Is Your Motivation Holding You Back?
One of the factors that hold companies back from improving their compliance is ambivalence: having mixed feelings or contradictory ideas about what goals to have and what approach to follow. This uncertainty contributes to the lack of motivation to act, which is a significant cause of failing to achieve operational and effective compliance.
Knowing where you are going
Having somewhere positive to go to that is well articulated and realistic will help motivate change. We need to know what the pot of gold is that we are going after. However, all too often, we find that companies have vague ideas of what compliance should do and what the outcomes should be. The opposite is also common. Many companies are very specific and clear about their compliance destination. In fact, they have already arrived, as stated in their declaration that they are following all applicable laws and regulations. Where else is there to go when you believe that you are already there?
What we need to understand is that the compliance landscape has changed, and so have the destination and the measures to get there. Compliance has moved beyond prescriptive specifications to outcome and performance targets that require continuous improvement and the effective management of risk. Compliance is not measured by whether you comply or not but instead is measured by the level of certainty you have in achieving your compliance goals and objectives. As risk is never static, continuous risk management is needed to keep companies operating between the lines in the presence of uncertainty. All of this changes the goals and objectives for compliance.
Knowing what is behind
Knowing where you are going is not enough to be properly motivated. You also need the motivation that comes from being aware of the danger of staying where you are. You need to be aware of the dragon that is chasing you from behind as well as the pot of gold that is in front of you to sustain proper motivation for change.
The dragon facing companies these days is the set of effects that come from not addressing all their stakeholder obligations. These have a negative impact on mission success, reputation and ultimately trust. As a result, you may still be left with a regulatory licence to operate, but you may not have a business that investors want to invest in or customers want to buy from. If ESG (Environmental, Social, and Governance) investing and the downstream impact on environmental programs continue to gain traction, learning how to navigate the broader compliance landscape will be a decisive factor in avoiding the dragon that is behind.
Knowing how to get there
So how do you move from ambivalence to action? Here are three steps you can follow to improve and sustain your motivation:
  1. Describe what your compliance destination looks like in realistic and specific ways – the piece of heaven that you are striving for.
  2. Describe what your destination looks like if you don’t improve – the slice of hell that you want to avoid.
  3. Establish a program that continuously advances your business towards its destination and avoids the dangers of staying where you are.
Making progress is a huge motivation for even more progress. Every day is a chance to improve your compliance, so let's not waste it.
- Surprise me now, surprise me later, but never say I am not surprised.
When it comes to risk & compliance, no one wants to be surprised. That’s why organizations put in place controls of various kinds to avoid surprises. While surprises are not desirable and cannot always be avoided, there is something that can be far worse, which is not being surprised at all.
When something bad occurs, it is not uncommon for someone to say, “I am not surprised that this happened.” Hearing this offers little comfort to those negatively impacted by the surprise. But why?
When preventable incidents occur associated with safety, environmental, quality or regulatory objectives, not acting when it was possible to do so is perhaps more concerning than the impact of inaction. Finding out that something could have been done and wasn't is often an indication of a failure in duty of care, negligence, or simply not caring at all. It is no wonder that we might feel anything other than comfort after hearing that someone was not surprised.
To avoid the surprise of not being surprised, organizations need to ensure that their risk management does more than just create a list of what might or could go wrong. They also need to act to create the outcomes that an organization wants and avoid the ones that it doesn't.
- How to Make Compliance Soar
Compliance is often considered a hindrance more than a help. Many organizations believe that they might do better if they were less encumbered by having to meet obligations. The philosopher Immanuel Kant pondered the same kind of thing using the following metaphor:
“The light dove, in free flight cutting through the air the resistance of which it feels, could get the idea that it could do even better in airless space.”
Without the resistance of air to contend with, the dove thought it might soar higher. There is an art to flying. Too much drag or not enough resistance will prevent flight from occurring. However, removing the air altogether is removing what is essential for the dove to fly. It is the very act of contending with air that enables the dove to soar.
The same might be said about compliance. It is through the process of meeting obligations that a business develops the art of compliance. Removing the need to meet obligations is removing what is essential for companies to achieve their goals. Without obligations to contend with, organizations would not get off the ground.
Resistance is not always a hindrance. Resistance can be the very thing that strengthens our abilities. It helps the dove to fly higher and an organization to achieve higher standards. We know that when it comes to meeting safety, quality, and environmental obligations, it is by meeting standards that a company develops the capability to be safe, to create quality, and to reduce its impact on the environment. This is what vision zero objectives are all about. It is not the goals so much as the struggle to get closer to them that matters most. It is the striving that creates excellence, not in spite of these goals but because of them.
Obligations are the air beneath an organization’s wings. They provide the resistance needed for flight. What does this mean for organizations that want to improve their compliance?
Perhaps, instead of trying to remove obligations or doing the minimum, invest in your people and processes to learn how to become excellent at the art of compliance. You may end up not only getting off the ground but you may actually start to soar.
- Mission Report: 3 Years Later
Over 3 years ago we launched Lean Compliance in response to the lack of sustainable compliance effectiveness across mostly every sector, as organizations struggled under the weight primarily of existing and changing prescriptive regulations and standards. The compliance landscape was also starting to transform as regulators were modernizing their programs to become more risk-based as they moved towards performance and regulatory designs. While the impact of this transformation would ultimately reduce the weight of regulation, it would require different skills and a new mindset, something that many organizations did not have or have time to learn.
To navigate this new landscape, companies would need to become more proactive, own their obligations, and commit to continual improvement. Instead of inspection and audit regimes as the trigger for improvement, companies would need to set obligation goals, measure progress, and manage risk. Performance rather than checkbox compliance would become the new mandate.
However, organizations were too busy being reactive and fighting fires, had little time to be proactive, and for the most part didn't know how. Space also needed to be created for improvement to occur. This is where LEAN would help to eliminate waste and create capacity to escape the reactive uncertainty trap and allow companies to begin their journey towards proactive certainty of their compliance objectives and goals. This birthed The Proactive Certainty Program™, which we launched to effect our mission to help companies lift the weight of regulation and improve their compliance effectiveness in a sustainable way through continuous improvement over time.
As our mission continued, we quickly realized that not much had been written about effective compliance and specifically how performance and outcome-based obligations might be managed. So we started to do research and explored what this all might look like, which we wrote about in blog posts every week.
With every post (over 200 at this point), presentation, webinar, and consulting engagement we began to lay the foundation for Effective Compliance. We started at the source of the obligations and worked our way to the outcomes that companies committed to achieve. This resulted in the formulation of:
  - A regulatory classification model
  - An obligation taxonomy
  - The Compliance Value Chain
  - The Proactive Certainty Model™
  - The 10 Rules for Effective Compliance
  - A proactive accountability management framework
  - A proactive model for governance risk and compliance (GRC)
  - Strategies to apply systems & risk-based thinking, and lean & performance management to improve the probability of meeting obligations
  - A system of measures: effectiveness, performance and conformance to help govern (i.e. steer) towards better outcomes
  - Digital strategies to improve the probability of mission success
  - and numerous other methods and practices.
Many of the concepts and principles we presented were in the form of diagrams to help describe behaviors, relationships, and elements as we worked towards a comprehensive operational model to effectively manage obligations. Several of you have commented and indicated how much you have benefited from the insights communicated in these diagrams and blog posts over the last three years. This has been instrumental by providing valuable feedback which we have used to improve the utility of our models. This has been very satisfying for us and a source of much encouragement, for which we are truly grateful.
It has been a fantastic journey so far, but there is still much to do. We would love to help more companies escape the reactive uncertainty trap and realize the benefits that come from effective compliance programs. One of the things we are working on is compiling all our work and creating an Effective Compliance Handbook. We will keep folks posted as we get closer to publication.
If you want to launch your own mission towards effective compliance, consider our 12-week virtual boot camp. Through weekly coaching sessions we help you develop a detailed improvement roadmap for one of your compliance programs: quality, safety, security, environmental, regulatory, risk, process safety, or pipeline safety. To learn more, contact us at bootcamp@leancompliance.ca (individual and team rates available). Continue to be safe and proactive.
- 2017 Compliance Program Survey
Help us better understand the state of compliance programs in your industry by participating in our 2017 Compliance Program Survey. This will take 10 minutes of your time, and by participating you will receive a copy of the final report. If you are involved with PSM, HSE, Security, Quality, Regulatory, IT / Cyber Security, or any other compliance program, we want to hear from you. Click here to take part in our survey. Thank you in advance for taking part to help advance compliance outcomes. #Survey
- Compliance Helps Companies Stay Within The Lines
Someone once asked the question, "Why do cars have brakes?" The answer given was, "So they can go fast!" What brakes do for cars is what compliance does for companies. They allow companies to go fast by helping them stay between the lines.
In recent years, many companies have invested significant effort in ways to help them go faster. Several strategies have been used, including Agile and LEAN techniques and methods. These approaches have functioned as an accelerator for business processes and have in many cases produced remarkable results. While a faster engine may help you to go fast, you also need a braking system that is just as capable. The faster you go, the better the brakes need to be.
However, brakes are only one part of what makes a car effective and safe. A car also needs (among other things):
  - A driver to choose the destination and pilot the vehicle
  - A guidance system to identify optimal routes
  - Limits (speed, traffic lights, etc.) to keep everyone safe
  - Guard rails to minimize injury
  - Lines that tell us when we are off-side
Newer vehicles have the ability to tell drivers when they have crossed the line, when it is safe to make a lane change, and when they are no longer on course. Intelligent braking systems also keep cars from losing traction so they can safely slow down. However, getting to your destination safely requires more than these; it also depends on the skills and actions of the driver.
When I first learned to drive, we were taught what is still called "defensive driving skills." These were skills defined as "driving to save lives, time, and money, in spite of the conditions around you and the actions of others." Its aim was to reduce the risk of collision by anticipating dangerous situations. We practiced these skills until they became second nature. I have continued to use these skills ever since and by doing so have kept myself and my family safe for over 30 years. This is what it means to be a good driver.
Not that you never have an accident, but rather that you have the skills and mindset to reach your destination safely. Just as we need drivers to be good, we also need companies to be the same. Similar strategies to "defensive driving" can be learned and applied to meeting and maintaining compliance.
Unfortunately, many companies have only the equivalent of guard rails to let them know when they are off-side. They need to crash into a rail before they realize they crossed the line and lost control. This is what happens to those that only use audits to manage compliance. Audits are necessary but ineffective at protecting our businesses and keeping everyone safe.
Drivers that practice defensive driving skills plan and act in such a way as to arrive at their destination on time and safely. It is not a choice between one or the other. Companies must also meet multiple goals with regard to compliance, whether they include safety, security, quality, environmental, financial or otherwise. They do not need to sacrifice one for the other, and neither should they. This is what it means to take ownership of all your compliance obligations, which is necessary for companies to be ethical.
The cybernetic law of Inevitable Ethical Inadequacy (introduced in a previous blog) states, “If you don’t specify that you require a secure ethical system, what you get is an insecure unethical system.” Without including ethical goals in your systems, they will regulate away from being ethical towards other goals, predominantly financial and short term.
We know that most companies want to be ethical, as stated in their mission and value statements where words such as integrity, respect, safety, quality, and social responsibilities are often used. Unfortunately, many of these same companies use a reactive compliance model that was developed only to verify the integrity of financial statements and protect against fraud.
However, the dynamics of the systems needed to achieve non-financial goals are different and require proactive strategies that anticipate conditions in the same way that we use defensive driving skills to anticipate dangerous situations.
Next to audits, training is the predominant method used by companies to achieve compliance. This training tends to be technical in nature, similar to learning how to drive a car, and rarely includes "defensive skills." There are areas such as safety where defensive skills are taught and reinforced. However, for the most part, compliance for many is about checking off boxes to meet prescriptive standards. Companies can improve their compliance by teaching their workers defensive skills rather than only focusing on compliance actions.
In addition to defensive skills, we can also consider greater degrees of automation and embedded compliance in our work processes. Current advancements in autonomous driving provide helpful insights into how automated compliance can work. That said, we may never want full automation: compliance decisions are ethical in nature since they involve risk trade-offs, and that is something that cybernetics does not address.
For example, safety involves making decisions that involve risk. Risk-based decisions, due to their inherent uncertainty, are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard, then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist, then the decision to proceed becomes an ethical choice, which is something only humans can do.
In 2014, SAE International published their standard for driving automation (J3016) that defines six levels of autonomous driving. This chart provides a means to compare against similar automation in compliance systems and processes.
What we find is that many companies are only operating at Level 0, as they provide little to no automation to assist workers in meeting compliance obligations. In fact, many do not even provide the equivalent of defensive skills training and only teach workers to follow prescribed steps. No wonder the effort applied to audits is so high and increasing.
Levels 3 and above do not have a human monitoring the environment, and in the case of Levels 4 and 5 do not have a human to fall back on should highly ethical decisions need to be made. Therefore, these levels may not be suitable for compliance support and arguably not desirable for autonomous vehicles either. Nevertheless, partial automation and compliance assist systems are helpful in providing workers with greater visibility of compliance obligations, in terms of both objectives that need to be met and limits that need to be observed.
Looking forward, companies that want to see more of their ethical values realized in their organizations will benefit from applying proactive strategies such as defensive skills to help workers better meet compliance obligations. In addition, increasing the level of automation while maintaining human accountability will provide greater and immediate certainty of compliance and reduce the spiraling increase in and dependence on audits.
It is better to know that you might cross a line so you have the opportunity to make course corrections. The alternative is hitting the guard rail and reading a police report that states the obvious. The first is proactive and the latter is reactive compliance, which is preventable.
- Risk Based Process Safety During Disruptive Times
The Center for Chemical Process Safety (CCPS) recently published a monograph that provides insights for managing Process Safety during the COVID-19 pandemic and other similar crises. It incorporates input from many CCPS member company representatives. It is organized by the RBPS elements, and human factors impact is addressed in multiple areas. The top three elements of highest importance are: Process Safety Culture, Asset Integrity & Reliability, and Management of Change. Occupational safety and health aspects are not the focus of this document. You can download this monograph using this link. CCPS has also published a BowTie analysis for Covid-19, which you can also find here. #managedsafety #covid
- Continuous Value requires Continuous Compliance
Increasingly, companies are adopting continuous improvement driven by several methodologies that include LEAN and AGILE. However, the overarching driver is the desire to achieve continuous delivery of value. These approaches fundamentally change how a business operates and impact all aspects of the value chain, including the processes that support them such as productivity and compliance programs.
Production processes have moved towards continuous flow by applying LEAN principles. IT has done the same by combining development and deployment (i.e. DevOps) to support continuous delivery. However, compliance for the most part has lagged behind and still functions using the old factory model with an audit-fix cycle, which is too slow to keep up with continuous change.
A major contributor to why companies have not taken a proactive approach to compliance is that they do not know exactly where they are going with their compliance. The lack of clear and concise goals makes it difficult to select strategies and to measure effectiveness. In fact, most companies do not even measure the cost of compliance. However, even knowing the cost, without goals you cannot know if you are over- or under-investing.
To properly establish goals you need to first define your compliance obligations, and this means specifying:
  - outcomes - what you want to accomplish
  - objectives - how you intend to accomplish them
  - risks - what are the threats and opportunities to meeting objectives and achieving outcomes
  - critical to compliance - evidence of compliance
  - measures of performance - ability to achieve system objectives
  - measures of compliance - key compliance results or indicators critical to compliance success
  - measures of effectiveness - progress towards program outcomes
Compliance obligations serve to properly align programs, systems and processes and make it possible to apply proactive strategies to continuously meet them.
Defining compliance obligations increases the certainty that compliance can be met and, just as importantly, that compliance outcomes are advanced on a continuous basis. Continuous value requires continuous improvement, which requires continuous compliance. #ContinuousImprovement #continuouscompliance
- 4 R's of Continuous Performance
The purpose of a compliance management system is to maintain state, which is achieved through consistency, reduction of variation, and achieving objectives. However, the purpose of a compliance management program is to change the state or condition with respect to compliance outcomes. This is achieved by adjusting the underlying systems to improve performance and maintain a higher standard. Continually advancing performance is required to meet "persistent achievement" obligations specified by performance / outcome-based regulations and standards.
In order to continually advance quality, safety, environmental and regulatory outcomes there are 4 changes you must continually make:
  - Re-orient policies to support continual advancement of outcomes
  - Re-calibrate values to match the outcomes that will be achieved
  - Re-engineer systems to create the capabilities needed to reach new performance targets
  - Re-align processes to achieve compliance objectives
#continuousimprovement
- Mismatched Systems
The administration problem is primarily that of reducing uncertainty within the organizational system (Organizational Strategy, Structure, and Process - 1978). Solving it involves more than simply rationalizing systems and processes already developed (uncertainty reduction); it also involves formulating and implementing those processes which will enable the organization to continue to advance outcomes. This necessarily impacts how risk & compliance systems are implemented. For managed compliance programs (i.e. safety, quality, environmental, regulatory) to be effective they must align with the specific goals, objectives, and strategies of the organization. These will be different based on each organizational type: Defender, Prospector, and Analyzer. Each type will also influence your approach to meeting obligations. Any mismatches in systems architecture will end up hindering the advancement of both business and compliance outcomes. Which organizational type best matches your business posture? Does your approach to risk & compliance align with this posture? #effectivecompliance #grc #managedrisk #managedsafety
- Operational Risk: Where do risks come from?
Risk-based thinking is at the center of recent changes to compliance standards, guidelines, and regulations. One of the areas where risk-based thinking is being applied is within the operations of a business. This is the domain of operational risk management, which is defined as:
"The risk of direct or indirect loss due to inadequate or failed internal processes, people and systems, or from external events." – Basel II
This definition comes from the financial and insurance sector, although it is still useful for other industries as operational risk management continues to gain traction there. However, this definition is likely to change as trends to include positive risk increase (e.g. ISO 31000).
Whether risks are negative or positive, an important step in any risk-based approach is the identification of the risks themselves. This requires (among other things) an understanding of where risks come from. Knowing the sources can help not only to identify risks but also to determine how best to manage them.
It is possible to think about these sources in relationship to operational systems and processes. These relationships can be classified as: extrinsic, intrinsic and emerging. For the purpose of this article, the following compliance systems model (introduced in a previous article) will be used, although, in principle, these definitions can apply to each component of any process or system.
Extrinsic Risk
These are risks that are external to the system that affect the underlying processes and activities. These risks may be introduced due to changes (shown in red in the above model) to: scope, critical to compliance requirements, resources, funding, strategies, best practices and program controls that are placed on the system. Risks may also come from other external sources that have been identified at the corporate level.
A significant source of system risks arises because of changes; it is therefore important to have an effective management of change process to identify these risks and manage them. This is even more critical when the system is vulnerable to emerging risks.
Intrinsic Risk
These risks are inherent in the process and activities. These may be in the form of latent or active failure modes, gaps in capabilities, uncertainties in work plans, or process variability. There are two common approaches to identify and treat these kinds of risks:
  - Risk Assessment – as part of an initial or periodic assessment, levels of risk are calculated for each activity or place where value is added. Steps can then be taken to decrease the uncertainties or minimize or exploit the consequences to better achieve the desired system objectives. These assessments assume a relatively static process where risks are not changing often.
  - Risk-Based Process – this approach includes an embedded risk screening at the front end to determine which path to take given the level of risk associated with either the work to produce the output or the output itself. Separate work streams based on the level of risk can accelerate cycle times and also ensure that the appropriate amount of rigor (e.g. further risk assessment) is applied when needed. This technique is used frequently with stage-gate methodologies such as those for projects, change and design processes, and is effective in identifying emerging risks as assessments are done each time the process is initiated.
Emerging Risk
These are risks that are developing or changing as a system evolves. These are often the most difficult to identify and to understand.
Emerging risks can be classified as:
  - Newly created risks
  - Newly identified or noticed risks
  - Changes to such things as likelihood, severity, causes, consequences, and control effectiveness for existing risks
Periodic risk assessments are useful to update risk profiles to take into consideration emerging risks. Risks identified using the risk-based process, mentioned previously, can also be used to update the system risk profile so that they can be monitored.
Knowing where risks come from can ensure that appropriate triggers are created so that risks are appropriately identified, managed, and effectively treated. As companies continue to change at an increasing rate to improve their business processes, it is essential that risk-based approaches keep up. Conducting risk assessments periodically may not be enough. However, embedding them inside processes will enable companies to stay on top of new and emerging risks so they can stay proactive. #riskmanagement #grc #managedsafety